Personal information and data protection

On this page we detail the information we capture, how we store it and how we use it to provide our services. You can also find out how you can access your information and opt-out.

Medical information

For information about the medical information we hold, please visit our treatment and care page.

Freedom of Information

For information about how to request other information we hold, please visit our Freedom of Information page.

Covid-19 vaccinations for individuals

Plain English explanation

Part of the national response to the COVID-19 pandemic is the need to record the details of staff who have been vaccinated against COVID-19. Vaccinations are normally undertaken in GP practice or community settings. With COVID-19 vaccinations, this will be undertaken in a variety of care settings and for the majority of health and care staff, vaccinations will be managed by “lead providers” on behalf of local health and care organisations. It remains the choice of the individual whether to have the vaccine, but South London and Maudsley NHS Foundation Trust need to be able to share staff details with the lead providers to ensure all staff are given the chance to receive their vaccination in line with the national requirements. We must also record the details of the vaccination and share that information with your GP, so that your health records are kept up to date.

Across England, a variety of lead providers and systems are being used to manage the vaccination process, which covers staff requesting the vaccination, booking the appointment, and administering the vaccination. The sharing of this information is necessary to enable the coordinated and effective roll-out of this vaccination programme to staff. Some of these providers are non-NHS organisations, details of which are available upon request by contacting the data protection officer at the details below.

In addition, all staff working or deployed in a CQC registered care home (which provides accommodation together with nursing or personal care) in England must be fully vaccinated. In order to comply with this change to legislation, we are required to collect vaccination data which will be held as part of your personnel health record. The new mandatory vaccination rules will not just impact upon care home providers and care home staff; the rules will apply to anyone working or deployed in a care home (unless an exemption applies), regardless of their role, how often they are required to work in the care home, or, who employs them. The rules apply to volunteers, students, job applicants, workers visiting from non-care settings and visiting professionals. So this will include some Trust staff (and bank staff) who need to visit such premises in order to fulfil their role and deliver the Trust services.

1) Controller contact details
South London and Maudsley NHS Foundation Trust
Bethlem Royal Hospital
Monks Orchard Road
Beckenham
BR3 3BX

2) Data Protection Officer contact details
Claire Delaney-Pope
DPO@slam.nhs.uk

3) Purpose of the processing
The purpose of the processing along the data flows is to effectively deliver and document the administration of COVID-19 vaccinations to staff members within health and care organisations. Processing is also required to ensure compliance with the Health and Social Care Act regulation, which mandates staff to be double vaccinated if working in a CQC care home setting.

4) Lawful basis for processing
Under the General Data Protection Regulation (GDPR), the lawful basis for processing this data is found at Articles: 

6(1)(c) Processing is necessary for compliance with a legal obligation to which the controller is subject, 

6(1)(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,

and

9(2)(h) Processing is necessary for the purposes of the provision of health or social care or treatment.

In addition, with the COVID-19 vaccination, we have an obligation to let your employer know that you have been vaccinated to support their obligation to safety in the workplace. The lawful basis for this processing is found at Articles:

6(1)(c) Processing is necessary for compliance with a legal obligation to which the controller is subject,

6(1)(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,

and

9(2)(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment

9(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health

The ‘Notice’ issued by the Secretary of State for Health sets aside the requirements of the Common Law Duty of Confidentiality for COVID-19 purposes. Regulation 4 of the Health Service Control of Patient Information Regulations 2002 provides that ‘information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence’, meaning that identifiable patient data can be shared with other organisations where it is ‘necessary’ for a COVID-19 purpose.

Health and Social Care Act 2008 (Regulated Activities) (Amendment) (Coronavirus) regulations 2021.

5) Recipient or categories of recipients of the processed data
Your employing organisation, health and social care organisations, GPs, arm’s length bodies (such as NHS England, NHS Digital and Public Health England), local authorities, NHS-contracted organisations (who will be hosting the vaccination recording system in some settings).

6) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. You can exercise this right by contacting the organisation’s data protection officer, whose details are listed above. There is no right to have accurate medical records deleted except when ordered by a Court of Law.

8) Retention period
The data will be retained in line with the law and national guidance: https://www.gov.uk/government/publications/records-management-code-of-practice-for-health-and-social-care. Alternatively, speak to the organisation's data protection officer, whose details are listed above.

9) Right to Complain
You have the right to complain to the Information Commissioner’s Office. You can use this link https://ico.org.uk/global/contact-us/ or call their helpline at 0303 123 1113 (local rate) or 01625 545 745 (national rate). There are National Offices for Scotland, Northern Ireland and Wales (see ICO website).

Covid-19 and your information - April 2020

Supplementary privacy note on Covid-19 for service users

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak.

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital, NHS England and Improvement, arm’s length bodies (such as Public Health England), local authorities, health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on GOV.UK and some FAQs on this law are also available.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes national data opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to subject access requests, freedom of information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information, including health and care records, with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Find further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Website information

Our website-specific data collection and retention policies are available here:

National data opt-out programme

South London and Maudsley NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

How to opt out or for more information

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

Information about your data choice can be read in 11 different languages and opened in other formats too. To access other formats and languages, please visit the NHS website: Different languages and formats (NHS.uk)

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Why we need your personal information

We need to collect information about you mainly to provide you with health and care services. This is in accordance with the statutory obligations under the NHS Act 2006 and Health and Social Care Act 2012.

The information that we collect is used for medical purposes that include:

  • Preventative medicine
  • Medical diagnosis
  • Medical research
  • Provision of direct care and treatment 


We collect your personal information so that your care team has accurate and up-to-date information to plan your treatment options.

Data protection law

The General Data Protection Regulation (GDPR) and Data Protection Act 2018 allow and regulate the processing of personal data. This includes where health and social care data are processed by a public authority, such as us.

Health and genetic data are amongst special categories of data requiring specific protection and are subject to additional controls. Public providers of health and care are expected to:

  1. Demonstrate satisfaction of conditions set out in Article 6 of the GDPR
  2. Satisfy a condition under Article 9 of the GDPR when processing special categories of data, such as data concerning health 

Under Article 6, processing is permitted where it is:
“Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)).

Commercial suppliers that work on behalf of the NHS (e.g. technology third-party suppliers to NHS Trusts), or private sections of public providers may also rely upon an alternative lawful basis. For example, where processing is necessary for the purposes of their ‘legitimate interests’ (Article 6(1)(f)).

Article 9(2) sets out the circumstances in which the processing of special categories of data, including data concerning health, which is otherwise prohibited, may take place. NHS Trusts as public bodies with healthcare provision as their statutory purpose, may process personal data where necessary to fulfil their public healthcare provision function, provided that they satisfy one of the following conditions:

9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Domestic law or a contract with a health professional

Article 9(2) also sets out the circumstances in which the processing of data concerning health may take place in academic organisations. Universities as public bodies with research either incorporated in their core function or as their statutory purpose may process personal data where necessary to fulfil their public research function, provided that they satisfy one of the following conditions:

9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Domestic law or a contract with a health professional.

9(2)(i) – Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices.

Article 9 allows for the processing of a special category of personal data for health research where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) [as supplemented by section 19 of the 2018 Data Protection Act] based on domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. (Article 9(2)(j))

This means that where it is necessary to process special categories of data, such as data concerning health, for research purposes, then that processing is permitted by the GDPR (under Article 9(2)(j)).”

What information we collect about you

Health and care organisations have a legal duty to keep complete, accurate and up-to-date information about your health. This is so that you can receive the best possible care, both now and in the future.

This information is known as your ‘health record’ and is stored securely on managed systems.

The information stored includes (category: data type):

  • Identifiers: Your name, date of birth, NHS number
  • Contact details: Your address, telephone number, email address (if provided)
  • Support contact details: Names, contact details of carers, relevant close relatives, next of kin, representatives, and dependants
  • Physical, social or mental health situation or condition: Your medical history, treatments, test results, referrals, care plans, care packages, medication, medical opinions and other relevant support you are receiving
  • Protected characteristics: Your ethnicity, religion, sexual orientation, gender, which are required for equality monitoring and ensuring that the services are suitable and provided in the right way for the people being cared for
  • Other information we may collect: Criminal convictions, potential vulnerable characteristics for safeguarding purposes, risks (clinical and non-clinical risks)

Where we get your information from

Most of the information we collect about you is from:
 

  • your GP
  • directly from you or a friend or relative
  • other health and care organisations


Information also comes from local authorities, schools and other government agencies.

Typically, we get information by referral. For example, if your GP decides you need an appointment with a hospital team or social care professional, they will provide those professionals with necessary information about you so that you can be supported appropriately. This may include identifiers, history, diagnosis and medications. This information is increasingly being made available electronically to improve the quality, safety and speed of delivery of care.

All care professionals and others working with them in care services have a legal duty to keep information about you confidential and secure and only use it for the purposes of providing and improving the care they provide. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

Who we share your information with

We will share your information with those health and care partners who are directly involved in your care. These may include:

  • Local NHS hospitals
  • Your GP practice
  • Local voluntary and private care providers
  • Urgent and emergency care services, such as NHS 111 and the London Ambulance Service

You may be receiving care from other people as well as the NHS, for example social care services. Health and social care providers may need to receive or share some information about you if they have a genuine need. This may help them form a complete picture of your health needs and provide care and treatment that is most suited to your needs and preferences. They will only share information where it is necessary to providing the best standards for your care or with your permission.

We will not normally give your information to any other third party for any reason outside your individual care and treatment without your permission. However, there may be exceptional circumstances where we may do so, such as if someone’s health and safety is at risk or if the law requires us to pass on information.

See a short animation that explains how your personal data is used in health and care.

Find out about the structure of the NHS in England, core organisations and their roles.

Why we share your information

People often access a range of services available to them to support their health and care needs. Care organisations are increasingly providing services in regional partnerships.

The Trust works in regional care partnerships, such as King’s Health Partners and Our Healthier South East London.

These services are not restricted by geographical boundaries or by organisational structures. There is also crossover in the information these services need to make sure the care they deliver is safe and of the highest quality. Health and care services use a range of IT systems and increasingly there is the ability to share special category personal data between systems. Care professionals and others supporting your care use IT systems developed and monitored according to strict rules to share your personal data securely and lawfully.

If care services do not share information about you, then they may be making decisions without the best available information. This may affect the quality and safety of care they give you.

You have a legal right to opt out of having your data shared between your care professionals. However, you should be aware of the risks to the safety and the quality of the care you receive.

Sharing information helps care professionals to work together across organisational boundaries. Up-to-date information about your health and care improves the quality of clinical decision making by care professionals. Health and care providers are increasingly using digital technology, subject to strict rules, to further improve your health. We will make every effort to inform you about new digital technology and point you to resources to help you access and use it securely. We will always respect your right to opt out if you do not wish to make use of it.

Integrating your care with our partners

Your direct treatment

Health and care partners in south east London, such as your GP, hospitals, mental health, community and social care services, work together to make best use of your personal data to improve your treatment and care. This collaborative work helps us to build a more complete picture of all your health and care needs.

South East London Integrated Care Records (Local Care Record in Southwark, Lambeth and Bromley) (South-East London Care Record in Lewisham, Greenwich, and Bexley).

Integrated care records in south east London securely connect the electronic health record systems in your GP practice with similar systems in other care settings. These include south east London hospitals, care professionals in urgent and emergency care services (such as NHS 111 or 999), the London Ambulance Service and the National Record Locator Service, which is run by the NHS in England.

Integrating your care records means that your care teams can view your medications, previous treatments, test results and any other relevant care information at the touch of a button. This provides faster and improved communication between your health and care providers, making best use of clinical resources during your appointments or hospital stay.

Sharing health records is helping to improve your care by providing your care team with essential clinical information at the touch of a button. This reduces the need for repeated phone calls, missed fax messages and delayed letters.

Find more information about the integrated care records in London, including how to opt out of this form of data sharing here

The Local Care Record will be integrated with the London Care Record from May 2023. The London Care Record is a shared record that provides a complete picture of your health and care across all London health and care providers involved in your treatment and care.

Population Health Management

We also share your information with the Integrated Care System (ICS) to support a range of service and quality improvements. You can find out more about this activity, including the list of approved uses, on the ICS website here.

Personal health records

Your health and care providers such as your GP and hospitals are increasingly providing online secure platforms for you to access your health information.

GP online services is a secure online service, where you can book or cancel appointments, order repeat prescriptions, view parts of your GP record, including information about medication, allergies, vaccinations, previous illnesses and test results and some clinical correspondence such as hospital discharge summaries, outpatient appointment letters and referral letters.

Beth is a secure online platform for you, your carers and families and your care teams. It is a secure way for patients and carers to stay connected with their care team. Beth promotes supported self-management of your care with secure online options to improve communication between you, your carers and care professionals. It also provides you secure online access to information about your treatment and care.

NHS Children and Young People’s Gender Service (London)

NHS Children and Young People’s Gender Service (London) is a partnership between South London and Maudsley NHS Foundation Trust, Evelina London Children’s Hospital (part of Guy’s and St Thomas’ NHS Foundation Trust) and Great Ormond Street Hospital for Children NHS Foundation Trust.

Together we are commissioned by NHS England to deliver one of the first regional centres for a new specialist service for children and young people experiencing gender related distress.

For patients whose care has transferred from the Gender Identity Development Service to the London regional centre, their data has moved from Tavistock and Portman NHS Foundation Trust and is now held by Great Ormond Street Hospital for Children NHS Foundation Trust on their electronic patient record system. 

Great Ormond Street Hospital for Children NHS Foundation Trust’s privacy notice details how they hold and process personal data. More information is available on Great Ormond Street Hospital’s website

Other uses of your personal information

Using information for commissioning or regulatory compliance

Commissioning is when organisations plan and pay for health care services. Health and care commissioners need information from your GP practice, hospitals and other care providers about your treatment to review and plan health services. To do this, they need to be able to see information about your care but they do not need to know who you are.

The commissioners use intermediary services called Data Services for Commissioners Regional Office (DSCRO). DSCROs specialise in analysing and converting coded clinical information within a secure environment into a format that commissioners can legally use. This is specific data about your care that does not reveal your identity or contact details.

NHS Digital, formerly known as the Health and Social Care Information Centre (HSCIC), can provide coded data about your care securely to commissioners under the Health and Social Care Act (2012).

NHS Digital, through its DSCROs, is allowed by law to collect, hold and process your personal data. This is for purposes beyond direct patient care, to support care commissioning organisations and the commissioning functions within local authorities.

Service evaluation contributes to the overall quality and effectiveness of clinical services to you and a group of people with a similar condition. This routine quality assessment of care services falls outside the scope of your direct care. It covers:

  • Care services management
  • Preventative care and medicine
  • Health and social care research

Service evaluations are routinely undertaken using anonymised data. Where identifiable information is to be used, we will always do it lawfully and securely in a way that will always protect your privacy.

How we use your information for research

We are working to find ways to develop better treatments for care. The information in your health records can be used to help researchers in SLaM understand more about the causes of illnesses and how best to treat them. We follow strict rules to make sure your personal data is always kept secure and confidential. Where possible, we take out any information that could identify you, such as your name, address and postcode. If we cannot practically take out such information, it is our legal responsibility to ask for your explicit permission (consent).

We have developed a system that helps us to carry out research and Trust audits using information from the Trust’s clinical records. We call this system CRIS: the Clinical Record Interactive Search system. CRIS is safe and secure - it does not reveal your personal details.

We believe CRIS can make a real and positive difference to future treatments and care.

What sort of things will CRIS help with?

CRIS helps us to look at real life situations in large quantities. This means it’s easier to see patterns and trends – e.g. what works for some and doesn’t for others.

We may link information about your treatment and care in the Trust with other aspects of your healthcare (data linkage). This will help to improve physical and mental health as a whole. As an example, information about patients who had both mental health illness and cancer was linked to look at the impact of mental illness on cancer survival rates. We have also created a linkage with local GP records to help us learn how to improve the physical health of patients with severe mental illness.

How are your personal details protected?

CRIS transforms clinical information so that it is anonymous. Your clinical details can be used in research but your personal details cannot. The system removes or covers up any information that can identify you. Your name, the name of your carer, your full date of birth, address, postcode and phone numbers are replaced with ‘ZZZZZ’.

In order to carry out data linkages we sometimes need to share identifiable information (for example NHS number, name, and date of birth) with trusted third parties, such as NHS Digital. The purpose of this and the data security arrangements are always reviewed by the Health Research Authority before being permitted under Section 251 of the NHS Act 2006. This permission enables temporary use of identifiers for accurate linkage. This is always done in a secure environment. Once records have been linked, all identifiable information is destroyed and the data are fully anonymised prior to being used for any research. Patients who have chosen to opt out via the NHS national Opt-Out system are excluded from these linkages.

Full information on all data linkages with CRIS can be found on the following website: 

www.maudsleybrc.nihr.ac.uk/cris-data-linkages/

CRIS has received ethical approval from an independent (non-Trust) research ethics committee, as a safe, secure and confidential information source for research.

We will continue to seek the permission of independent organisations outside the Trust to assess our arrangements. This is to make sure that the security of your information and your confidentiality are always protected.

Who can access CRIS?

CRIS is available only to researchers who have a contract with the Trust. These researchers might work in collaboration with other organisations (both ‘not-for-profit’ and ‘for-profit’). The information in CRIS is protected by strict Trust information security. It cannot be accessed or taken outside the Trust in any form.

What can I do if I want to find out more? 

We are keen to share information about CRIS with service users, carers and staff. Information about CRIS can be found on our website: www.maudsleybrc.nihr.ac.uk/CRIS.

Alternatively, if you have any questions, or if you would rather not have your records in CRIS and/or linked with external datasets, please contact us: 

Email: cris.administrator@slam.nhs.uk

Telephone: 020 3228 8553 

Research recruitment (consent for contact)

You can give your care coordinator an advance permission for researchers to contact you in the future if you match the criteria of a trial. Your advance permission, known as ‘consent for contact’ will be noted in your health records. You will only hear from a research nurse, who will explain what that study will entail in more detail. You can find more information about consent for contact and ways to sign up for future research.

Partnership with the AI Centre for Value Based Healthcare

South London and Maudsley is a partner of the AI Centre for Value Based Healthcare. There is a strict oversight process and controls on how your information could be used under the AI Centre. These include anonymisation or pseudonymisation of data. You can read more about data use in the AI Centre on their website: AI Centre.

Other ways your information is used

We may also use your personal data in the following areas:

  • Any complaints you have made about services
  • Any incidents you may have been involved in while you were receiving treatment and care from us
  • Any paid or unpaid work with us, including your involvement in volunteering, public engagement or other projects (e.g. social, community, art, consultation) we run solely or with partners
  • Any training, education or supervision delivered to you by us
  • CCTV (closed-circuit television) and use of multimedia devices

How we keep your information secure

As a health and care provider, we store and use large volumes of sensitive personal data every day, such as your health records. Your health records are stored electronically.

Other personal data and computerised information are stored on various other systems across your health and care providers. These systems are managed by NHS IT departments or under contract with an approved public framework supplier.

Find more information on how your information is kept securely on NHS information systems

Important information used by the Trust

| Purpose | System name |
|---|---|
| Electronic health records | ePJS |
| Electronic staff records | ESR |
| Complaint and incident records | Datix |
| Clinical observations | eOBS |
| Clinical incident records | SafeCare |
| Personal health records | Beth |
| Business intelligence | Microsoft BI |
| Translational research using de-identified data | CRIS (research pipeline) |
| Internal staff communication | Intranet |
| Staff rosters | eRoster |
| Workforce recruitment | TRAC |
| Workforce candidate screening and management | Indeed |
| Workforce training and professional development | LEAP |
| Enterprise network and email | Office365 / UK Azure Cloud |
| Finance system | eFinancials |
| Procurement system | eProcurement (eFinancials module) |
| Invoicing system | ITSOFT |
| Contracts monitoring | Soles |
| IT service desk | BMC |
| Estates and facilities helpdesk | PlanetFM |
| VoIP | Cloud Telephony |
| Electronic prescription service | ePMA |
| Electronic health records for Improving Access to Psychological Therapies services | IAPTus |
| Body worn camera recording hosting | DEMS 360 |

The information we collect is used by people in their work for the purposes stated in this notice. We take our duty to protect your personal information and confidentiality very seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

  • We encrypt all outgoing email containing personal data
  • We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems
  • We provide training to all staff on how to handle all types of data
  • We manage and retain records in line with the NHS Records Management Code of Practice

At the most senior level, we have:

  • A senior information risk owner who is accountable for the management of all information and any associated risks and incidents
  • A Caldicott Guardian who is responsible for the management of patient information and patient confidentiality
  • A data protection officer who oversees all activities related to the use of data. They make sure data use is within the law and best practice

You can contact these senior responsible officers by emailing us via dataprotectionrequests@slam.nhs.uk or writing to:

Information Governance
Maudsley Hospital
Denmark Hill
London
SE5 8AZ

Your legal rights

You have several rights under data protection law.

Your request must be made to the following address:

South London and Maudsley NHS Foundation Trust
Information Governance Office
Maudsley Hospital
Denmark Hill
London
SE5 8AZ

Email: dataprotectionrequests@slam.nhs.uk

a. Right to be informed: you have a right to be informed about uses of your information, with an emphasis on transparency. This fair processing notice, in support of other privacy notices, makes sure that your right to be informed is upheld.

b. Right of access: you have a right to receive:

  • Confirmation of what information is recorded about you
  • Confirmation of how your information is used
  • Access to your personal health information and other information we hold

To exercise your right of access, you will be asked to complete a subject access request (SAR) form, provide proof of identification and may be asked to explain exactly what information you require. This is not compulsory; however, it will make it easier to deal with your request and for you to include all the details we might need to locate your information.

You will not be charged for this service.

Other people can also apply to access your health records on your behalf. These include anyone authorised by you in writing (such as a solicitor), or any person appointed by a court to manage your affairs if it decides you cannot manage them yourself.

c. Right to rectification: rectification means correcting inaccuracies or incomplete data we hold about you. This often applies to factual information only such as identifiers and next of kin. We are unable to remove or alter professional opinions that you may disagree with. You do however have the right to include your personal statements alongside professional opinions.

To rectify your information please contact your clinical team.

d. Right to deletion: in some circumstances you can request that we delete the information we hold about you. This right will apply only if the processing has been based on consent which is withdrawn, the processing of data is found not to be lawful or the information is no longer required. We will tell you about activities to which this right applies.

There are exceptions to the right to deletion. Your health and care providers are legally required to maintain your records in accordance with the retention guide in the Record management code of practice for health and social care.

e. Right to object: you do not have a general right to object to processing of your personal information for your individual care; however, you can object if the information is used for a secondary purpose, such as:

  • Marketing
  • Scientific or historical research
  • Statistical purposes
  • Purposes in the public interest or under an official authority (e.g. NHS Act 2006)
  • Public patient involvement groups

f. Right to restrict processing: the right to restrict processing means that, if you have disputed the accuracy of information, objected to its use or require data due for destruction to be maintained for a legal claim, you can have the data stored by the Trust but not allow other uses until the dispute is settled. To request restriction to processing, please contact the data protection officer.

We will respect your rights under the data protection legislation whether you are an adult or a child. We will respect the wishes of parents (or legal guardians) in respect of the data rights of children who are younger than 14 years old.

You should also tell us how you would like us to contact you. Your preferences may include post, text messaging and phone. You should notify your care team about your preferences and ask for them to be recorded in your health and care record. You can change your mind later as long as you give timely notification to your care team about any changes to your preferences.

What other information we collect

We collect information on all staff we employ, as well as volunteers, people with honorary contracts and agency staff for the purposes of running our services. We use the information for administrative, academic and statutory purposes and to support health and safety.

The information we collect includes:

| Data type | Purpose of collecting |
|---|---|
| Names, addresses and telephone numbers | Employment contracting |
| Spouse, partner, emergency contact, close relative, next of kin names, address, telephone and email details | Emergency contact |
| Employment records (including professional membership, references, appraisals, professional development plans, education and training records) | Statutory requirement of employment, performance management, professional development |
| Bank, National Insurance number and pension details | Payment of salaries and other expenditure claims |
| Nationality / domicile | Proof of eligibility to work in the UK |
| Ethnicity | Equality monitoring, equal opportunities |
| Medical information including physical health or mental condition | Appropriate adjustments to work arrangements, management of disability rights and other occupational health services |
| Religious beliefs | Spiritual support, equal opportunities, equality monitoring |


NHS Shared Business Services provide electronic staff records and other corporate systems, such as employment and finance.

Other bodies

There are some exceptional circumstances where we must share information about employees with official bodies or other organisations without their express permission. These include circumstances owing to a legal or statutory obligation. These bodies may include:

  • Disclosure and Barring Service
  • Home Office
  • Her Majesty’s Revenue and Customs (HMRC)
  • Financial institutions, for example banks and building societies, for approved mortgage references
  • Educational, training and academic bodies
  • Department for Work and Pensions (DWP)

National Opt Out Programme

South London and Maudsley NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

How to opt out or for more information

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters or phone 0300 3035678.

(NB – you cannot opt out via your GP or via our Trust – only via the above contacts.)

On the web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes; data would only be used in this way with your specific agreement.

If you want to complain

If you think that information in your NHS health records is wrong, please talk to the health professional looking after you and ask to have the record amended. You can also ask for the information to be amended by contacting the Information Governance team. If your request to have your records amended is not upheld because the information is not deemed to be factually incorrect, we will add a statement of your views to the record.

Information Governance Team
South London and Maudsley NHS Foundation Trust
Maudsley Hospital
Denmark Hill
London
SE5 8AZ

Telephone: 020 3228 5174

Email: InformationGovernance@slam.nhs.uk 

If you are unhappy with our response, you have the right to complain to the Information Commissioner’s Office (ICO), which regulates and enforces the Data Protection Act.

For details of how to do this:

visit the ICO website at www.ico.org.uk

Further information

Please talk to the team looking after you if you want to know more about how we use your health records, or if you do not want your information used in any of the ways described in this leaflet.

Patient Advice and Liaison Service (PALS)

Freephone 0800 731 2864 or email us via pals@slam.nhs.uk

NHS UK

Provides online information and guidance on all aspects of health and healthcare, to help you make choices about your health: https://www.nhs.uk/.

Become a member

By joining us as a member you can help shape our work and provide us with feedback, local knowledge and support.

Find out more
